Microsoft Releases Six Critical Patches

For the February security bulletin release, Microsoft rolled out six "Critical"
fixes -- rather than the seven detailed in the advanced
notice -- and five "Important" items.

This month's 11 patches -- said to fix 17 total bugs -- are the most Windows
IT pros have seen since August, and with a greater variation of vulnerability
plugs than at any time in the last 12 months, according to security experts.

"After several slow Patch Tuesdays, administrators are faced with the
most patches they've seen in a year," said Paul Zimski, senior director
of market strategy at Scottsdale, Ariz.-based Lumension Security. "Because so many critical patches affect so many applications
-- including Office, Internet Explorer and the operating systems themselves
-- these are widespread enough to have a bigger effect and they are going to
require the utmost attention and energy."

Moreover, Zimski added, with many remote code execution (RCE) flaws that don't require
end user consent, the potential for malware, botnets and rootkits is rampant.

The first critical issue is said to solve what Redmond said was a "privately
reported vulnerability" in the Web-based Distributed Authoring and Versioning
Mini-Redirector, or WebDAV Mini-Redirector. WebDAV, which enables
users to manage Web files on remote servers, is a set of extensions of
hypertext protocol most commonly known as "http:." This RCE implication constitutes
a hacker’s dream in a scenario where attackers can get in and take complete
control of a system, manage and edit files and create new accounts with elevated
user rights. The issue affects all Windows OS versions with the exception of
Windows 2000 SP4.

Critical patch No. 2 also resolves an internally reported hole. It's designed
to thwart attacks on Object Linking and Embedding (OLE) Automation, which is
a proprietary software feature from Redmond that allows linking to documents,
data and other objects on the Windows Component Object Model. For developers,
it serves as a way to customize user interfaces. With a specially crafted Web
page, an attacker could execute malicious code through OLE but the vulnerability
would only really be damaging if it were to affect user workstations that have
administrative profile parameters. The fix is for Windows, Office and Visual
Basic programs on all OS versions, although only Windows 2000 SP4 and all editions
of XP and Vista were labeled as "critical."

Yet another private vulnerability plug is designed to block bad code embedded
in specially crafted Word documents. A user could send a Word file, get it
opened by an unsuspecting user, and then gain access, going willy-nilly. The
vulnerability mainly affects Office SP3, Office XP SP3 and Office
2003 SP2.

The popular browser Internet Explorer was late last year plagued with problems,
and now the fourth critical bulletin will hopefully address most of those issues.
Specifically, Redmond says this cumulative patch addresses three private bugs
and one publicly reported one. Although these fixes -- affecting all versions
of IE up to and including IE 7 for Vista -- are yet to be specified, once that
patch is installed what's fixed and not fixed will come out in the rinse, security
experts contend.

"These vulnerabilities underscore the importance of having a full security
suite to protect consumers and enterprises from being exploited since it's obvious
they can no longer only rely on traditional best practices alone, such as avoiding
unknown or unexpected e-mail attachments or following Web links from unknown
sources," said Ben Greenbaum, senior research manager for Symantec Security
Response.

Meanwhile, the fifth critical bulletin affects Microsoft Office Publisher versions
2000 to 2003 and Office XP SP3. The patch resolves two privately reported vulnerabilities
in Office Publisher that could allow remote code execution through
a specially crafted Publisher file. One such example is an e-mail newsletter
than an end user probably shouldn't be opening in the first place.

The last critical issue affects the whole Office suite of applications,
most specifically Office 2000 SP3. Office XP SP3, Office 2003 SP2 and Office
2004 for Mac are all noted as "important" in regard to this patch.

While the critical issues will certainly keep a technologist's hands full,
there are also five so-called "important" bulletins in this month's
rollout.

The first one resolves a privately reported hole that can be exploited during
ramp-up of Active Directory on Windows 2000 Server, Windows Server
2003 and Active Directory Application Mode, particularly when installed on Windows
XP Professional and Windows Server 2003. This is a denial-of-service exploit
where a hacker simply shuts administrators out of the systems, creating outages,
work stoppages and other interruptions. On Windows Server 2003 and XP, however,
the hacker would need inside information, such as local log-on credentials.

The second fix addresses Transmission Control and Internet Protocol processing,
more commonly known as TCP/IP. It's a privately reported vulnerability where
hackers could force automatic restarts on a looped basis.

The third and fourth important patches affect Windows Internet Information Services
(IIS) and are poised to stop elevation of privilege and RCE exploits, respectively.
In the first case, the attacker would most likely need to have local credentials.
Meanwhile, the second one is remote and deals with ASP Web page inputs where
an attacker could take control of the IIS server by way of the Worker Process
Identity program, which is preset with network admin account privilege defaults
-- candy for a hacker.

The third patch affects every OS and Windows Server version with the exception
of Vista SP1 and the new Windows Server 2008, while the fourth covers XP professional
SP2 including the 64-bit editions and all Windows Server 2003 editions.

Security admins should give these two a close look, according to observers.

"The two important patches for IIS warrant attention because Web servers
are prime targets compared to an endpoint, and this is definitely not something
that you want to be vulnerable," said Lumension's Zimski.

The last of the bunch is an RCE bug unleashed via specially crafted Microsoft Works
or .WPS files with an affected version of Office, Microsoft Works
or Microsoft Works Suite. The bulletin synopsis says the bug it fixes is more
common on Office 2003 SP2 and SP3, as well as Microsoft Works 8.0 and Microsoft Works Suite
2005.

After the sweat is wiped from the brows of those ingesting all this, IT pros
should know that of the 11 total bulletins, six will require restarts.

"There were a lot of interesting items," said Eric Schultze, chief
technology officer at Shavlik Technologies in St. Paul, Minn. "It's going
to be busy but I did notice they pulled the critical JScript\VBScript patch
that they had planned. No indication from Microsoft as to why -- probably related
to last-minute testing failures. Client-side attack vectors will continue, malicious
files and Web pages, it's starting to get ho-hum boring. There'll be lots of
work, nonetheless."

Jabulani Leffall is a business consultant and an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others. He consulted for Deloitte & Touche LLP and was a business and world affairs commentator on ABC and CNN.